Cowrie Honeypot: 4 Weeks Later

After running our Cowrie SSH honeypot for four weeks in the wild, it gathered a total of 1,775 unique IPs attempting to connect. Go read the first post to see what and how i did it.

Attack Volume & Growth

- 8,838 total connection attempts from 1,775 unique IP addresses.

- IP with most connection attempts: 61.50.119.110 (China Unicom Beijing) with 5,855 attempts (66% of the total).

Pew Pew Map: Attack Visualizer

To visualize the global nature of the attacks, I created an interactive map using Leaflet.js. To really get a impression of the connection attempts zoom in and scroll around from different parts of the world.

Country Distribution

Top attacker source countries by number of unique IPs:

  • 🇨🇳 China — 219 IPs
  • 🇺🇸 United States — 143 IPs
  • 🇰🇷 South Korea — 90 IPs
  • 🇷🇺 Russia — 68 IPs
  • 🇮🇳 India — 67 IPs
  • 🇮🇶 Iraq — 38 IPs
  • 🇭🇰 Hong Kong — 33 IPs
  • 🇹🇼 Taiwan — 31 IPs
  • 🇸🇪 Sweden — 24 IPs
  • 🇲🇾 Malaysia — 24 IPs

Major cloud markets dominate, with China and the U.S. leading brute force traffic.

In terms of unique attempts, China orignating IP were far and away the most aggresive:

ASN Distribution

I enriched each IP with ASN info and plotted top networks with the most numbner of unique IPs trying to connect:

  • 🏢 ASN 4134 (CHINANET-HN-XX) — 156 IPs
  • 🏢 ASN 4766 (KORNET-KR) — 103 IPs
  • 🏢 ASN 4837 (IATCBGL) — 96 IPs
  • 🏢 ASN 203214 (AE-EARTHLINK-DMCC) — 60 IPs
  • 🏢 ASN 9808 (CMNET) — 57 IPs
  • 🏢 ASN 4818 (DIGI-AS-AP) — 52 IPs
  • 🏢 ASN 8075 (MSFT) — 36 IPs
  • 🏢 ASN 17421 (EMOME-NET) — 31 IPs
  • 🏢 ASN 7922 (BOSTON-CBC-9) — 28 IPs
  • 🏢 ASN 4760 (NETVIGATOR) — 27 IPs

Then I also plotted which ASNs had the most connection attempts, with 5,867 total connection attempts from China Unicom Beijing Province Network (ASN 4808) machines:

Most Common Open Ports

I From the enriched Shodan data, we extracted the most frequently observed open ports across scanning hosts. This helps profile attacker tooling and default configurations:

  • Port 22 (SSH) — 434 instances
  • Port 80 (HTTP) — 231 instances
  • Port 443 (HTTPS) — 203 instances
  • Port 23 (Telnet) — 97 instances
  • Port 53 (DNS) — 91 instances
  • Port 21 (FTP) — 84 instances
  • Port 161 (SNMP) — 84 instances
  • Port 2222 (Alt SSH) — 52 instances
  • Port 123 (NTP) — 45 instances
  • Port 8443 (Alt HTTPS) — 42 instances
  • Port 8080 (Alt HTTP) — 37 instances
  • Port 1701 (L2TP) — 34 instances
  • Port 1723 (PPTP) — 31 instances
  • Port 500 (IPSec) — 27 instances
  • Port 8888 (Alt HTTP) — 25 instances

SSH (434 instances) and HTTP/HTTPS (231/203 instances) are the most commonly exposed ports among connecting systems, with older protocols like Telnet (97 instances) and SNMP (84 instances) also frequently present.

The distribution of ports, including VPN protocols and alternative service ports, suggests these systems represent a mix of network infrastructure devices and servers with varying configuration practices.

Most Common Services

Service fingerprinting from Shodan reveals the connecting systems are predominantly embedded devices and network infrastructure running various SSH implementations and lightweight web servers:

  • 🔧 unknown — 1,290 instances
  • 🔧 OpenSSH — 215 instances
  • 🔧 Dropbear sshd — 191 instances
  • 🔧 nginx — 138 instances
  • 🔧 lighttpd — 74 instances
  • 🔧 net-snmp — 56 instances
  • 🔧 Apache httpd — 53 instances
  • 🔧 Ubiquiti AirRouter — 50 instances
  • 🔧 PPTP — 30 instances
  • 🔧 MikroTik bandwidth-test server — 14 instances
  • 🔧 Linksys WRT45G modified dropbear sshd — 14 instances
  • 🔧 Busybox telnetd — 14 instances
  • 🔧 Samba — 12 instances
  • 🔧 MySQL — 12 instances
  • 🔧 ZyXEL ZyWALL sshd — 9 instances

The high number of "unknown" services (1,290 instances) indicates either non-standard software configurations or services that Shodan cannot identify, while specific router and embedded device signatures suggest these connection attempts originate from network infrastructure equipment.

Future Enhancements

Based on the findings, a next iteration might include:

  • Deploy multi-protocol honeypots (Telnet port 23, HTTP/HTTPS, SNMP) to capture broader attack vectors and cross-protocol exploitation patterns
  • Implement real-time threat intelligence integration with multiple feeds beyond Shodan to correlate IPs with known malware families and botnet affiliations
  • Deploy distributed honeypots across multiple cloud providers and geographic regions to understand location-based attack variations